SHA1 has long been deemed too weak to use and has been considered deprecated for quite a few years now. If you are seeing the message in the title of this article, you are most likely still using the old SHA1 timestamp server, so your signature carries a SHA1 timestamp.


To fix this, make sure you are using the SHA256 timestamp server http://timestamp.comodoca.com/?td=sha256, as the SHA1 server has been deprecated since May 30, 2020 (all the SHA1 roots have now expired).


Use it like this:


signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /v foo.exe


(You'll have your own values for the PFX file, password and file to sign of course)


For legacy systems (pre-Vista, i.e. Windows XP and Server 2003) it is usually best to leave the timestamp out altogether and to add a signature with a SHA1 file digest as well. With SignTool that takes two commands, run in this order:


signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha1 /v foo.exe

signtool.exe sign /f MyCert.pfx /p <PFX password> /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /as /v foo.exe
 


That creates two signatures on the file: the primary signature uses a SHA1 file digest with no timestamp, and the appended one (/as) uses a SHA256 file digest and a SHA256 timestamp. The order matters: legacy systems that do not understand dual signatures evaluate only the primary (first) signature, so the SHA1 signature must be created first and the SHA256 signature appended with /as rather than the other way round. SHA256 signatures are supported on Vista and later.
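As an added example (this is not code from the original article), the two-step procedure above as a PowerShell script that checks each step's exit code and then verifies every signature on the file. The file name, PFX name and timestamp URL are the article's placeholders, to be replaced with your own; the exit-code handling and the output filter at the end are this script's own additions, and the filter relies on the wording of signtool's verbose verify output.

```powershell
# Added example, not from the original article: dual-sign a PE with
# signtool.exe (SHA1 primary signature, then an appended SHA256 signature
# with an RFC 3161 SHA256 timestamp) and verify every signature afterwards.
# Assumptions: signtool.exe is on PATH (Windows SDK), and the defaults for
# the file, PFX and timestamp server are placeholders for your own values.
param(
    [string]$File = 'foo.exe',
    [string]$Pfx  = 'MyCert.pfx',
    [string]$Tsa  = 'http://timestamp.comodoca.com/?td=sha256'
)

$ErrorActionPreference = 'Stop'

if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw 'signtool.exe not found on PATH; run this from a Windows SDK / Visual Studio developer prompt.'
}
if (-not (Test-Path $File)) { throw "File to sign not found: $File" }
if (-not (Test-Path $Pfx))  { throw "PFX not found: $Pfx" }

# Prompt for the PFX password rather than hard-coding it in the script.
# signtool still receives it as a plain /p argument, so it is visible in
# process listings for the duration of each call; signing from the user
# certificate store instead (signtool sign /sha1 <cert thumbprint> ...)
# avoids putting the password on a command line at all.
$secure      = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr        = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pfxPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Invoke-SignTool {
    # Run signtool with the given argument list and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with $LASTEXITCODE for: signtool $($Arguments -join ' ')"
    }
}

try {
    # 1. Primary signature: SHA1 file digest, no timestamp. Systems without
    #    dual-signature support evaluate only the primary (first) signature,
    #    so this one must be created first. /fd sha1 is explicit so the result
    #    does not depend on which digest a given signtool version defaults to.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $pfxPassword, '/fd', 'sha1', '/v', $File)

    # 2. Appended signature (/as): SHA256 file digest plus an RFC 3161 timestamp
    #    whose token digest is also SHA256 (/td sha256), from the SHA256 endpoint.
    Invoke-SignTool @('sign', '/f', $Pfx, '/p', $pfxPassword,
                      '/fd', 'sha256', '/tr', $Tsa, '/td', 'sha256', '/as', '/v', $File)
}
finally {
    # Drop our reference to the plaintext password as soon as signing is done.
    Remove-Variable pfxPassword -ErrorAction SilentlyContinue
}

# 3. Verify every signature (/all), not just the primary one, under the default
#    Authenticode policy (/pa). The filter keeps only the lines of signtool's
#    verbose output that show each signature's index, file digest and timestamp
#    status; the wording matched is signtool's, not this script's.
$report = & signtool.exe verify /pa /all /v $File
if ($LASTEXITCODE -ne 0) { throw "Verification failed for $File" }
$report | Select-String -Pattern 'Signature Index|Hash of file|timestamp'
```

Running it with `.\dualsign.ps1 -File .\foo.exe -Pfx .\MyCert.pfx` reproduces the two commands above and then prints one block per signature from `signtool verify /all`, so you can confirm that the SHA1 signature is index 0 (no timestamp) and the SHA256 signature is index 1 with a timestamp before shipping the binary.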


The old SHA1 timestamp URL still responds; it just no longer provides a 'real' SHA1 timestamp. Older legacy systems simply ignore a SHA384 or SHA256 timestamp they cannot process, so there is no harm in applying one.